Re: Exchange Reverse Lookup on Port 137?

From: Fred Blum (h.f.blum_at_marketconnectnospam.nl)
Date: 11/23/04


Date: Tue, 23 Nov 2004 17:52:43 +0100


Doing a windump I found that my SBS server allowed a remote connection on
port 135. This connection was not listed in logs as blocked. I added a 135
block all rule.
Now connections are blocked.

ISA should block this by default. In the past we used the internet to do a
remote_server DTS. So I added an allow rule with destination of the remote
site. Could this have been a possible infection? My server was fully patched
and had an sa password.

TIA,

Fred
"Fred Blum" <h.f.blum@marketconnectnospam.nl> wrote in message
news:eUuld7K0EHA.1204@TK2MSFTNGP10.phx.gbl...
>
> Mariette,
>
> During setup I gave the sa account the same password as the administrator.
> The sa password in the security section is not empty. I see *****. On the
> SQL server properties I specified security to use SQL and windows
> authentication. I've disabled and restarted. Will send the ISA logs in
> 24h.
> Port 137 has a package block. Furthermore I'm blocking full IP ranges in
> Korea. GRC still gives me all green across the board except port 25.
>
> They are trying with a man in the middle approach. Maybe they are
> pissed-off because we took their P2P cracked software site off the air. I
> found an IP address of someone nearby trying to connect. A housing coop in
> Tilburg. I phoned their sys admins and informed them that I had found their IP
> address in my log and that I had checked their port 445 with a port scanner
> and found it to be open. They were reluctant at first, so together with
> them I ran a full scan and found this IP address completely open to the
> Internet. It was a remote site that connected via VPN to their domain.
> They hadn't installed a firewall.
>
> Fred
> "ignorance is a bliss"
>
> "Mariette Knap [SBS MVP]" <mariette@smallbizserver.local> wrote in message
> news:%23gA%23SRK0EHA.4004@tk2msftngp13.phx.gbl...
>> In news:es$Kz6H0EHA.1932@TK2MSFTNGP09.phx.gbl,
>> Fred Blum <h.f.blum@marketconnectnospam.nl> wrote:
>>
>>> searched google.com with Outbound port 137 connections.
>>>
>>> This exact one is:
>>> http://groups.google.com/groups?q=outbound+port+137+connections&hl=nl&lr=&selm=a1degc%242ed%241%40canopus.cc.umanitoba.ca&rnum=1
>>>
>>> But there are others as well saying that if a reverse DNS lookup fails
>>> (spammers ?) windows will revert to trying on port 137 with Netbeui.
>>> Reverse lookup has not been enabled on my SMTP server. I added the
>>> local DNS server address just in case some other process also works
>>> with this DNS entry.
>>
>> Fred,
>>
>> I have analysed the ISA logs you sent to Marina. Please disable SQL
>> services on the SBS server, reboot the server and send me after 24 hours
>> the ISA logs.
>>
>> Your server is not hacked from the outside but from the inside. I think
>> your SQL database has a null sa password and someone inside your LAN has
>> caught a virus like SQLSnake/Spida Worm (May 2002) or
>> SQL-Slammer/SQL-Hell/Sapphire Worm (January 2003)
>>
>> --
>> Mariëtte Knap - MVP
>> http://www.smallbizserver.net
>> Take part in SBS forum:
>> http://www.smallbizserver.net/Default.aspx?tabid=154
>>
>>
>
>
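The distinction Mariette draws above (inside the LAN versus the Internet) can be checked directly against a windump capture like the one Fred describes. The following is an added example, not code from the thread: it parses tcpdump/windump-style lines, keeps only the ports discussed here (135, 137, 445 and the MS SQL ports 1433/tcp used by SQLSnake/Spida and 1434/udp used by Slammer), and tallies hits by origin. The LAN range, the sample lines and the function names are assumptions.

```python
# Added example (not from the thread): classify windump/tcpdump-style lines for
# the ports discussed above and separate inside-LAN sources from Internet ones.
import ipaddress
import re

# Ports the thread talks about, plus the MS SQL ports the named worms used
# (SQLSnake/Spida -> 1433/tcp, SQL Slammer/Sapphire -> 1434/udp).
WATCHED_PORTS = {135: "msrpc", 137: "netbios-ns", 445: "microsoft-ds",
                 1433: "ms-sql-s", 1434: "ms-sql-m"}

# Assumed LAN range; the real SBS network is not stated in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Matches "time [IP] src.sport > dst.dport" at the start of a capture line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:IP\s+)?(?P<src>[\d.]+)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+)(?=[:\s]|$)")

def classify(line):
    """Describe the flow if its destination port is watched, else return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dport = int(m["dport"])
    if dport not in WATCHED_PORTS:
        return None
    src = ipaddress.ip_address(m["src"])
    return {"time": m["ts"], "src": str(src), "dst": m["dst"], "port": dport,
            "service": WATCHED_PORTS[dport],
            "origin": "inside" if src in LAN else "outside"}

def summarize(lines):
    """Count watched-port connection attempts by (origin, service)."""
    counts = {}
    for line in lines:
        hit = classify(line)
        if hit:
            key = (hit["origin"], hit["service"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample capture (not real traffic from Fred's server).
SAMPLE = """\
17:52:01.000 IP 192.168.1.50.3105 > 192.168.1.2.1433: S 1:1(0) win 16384
17:52:02.000 IP 192.168.1.50.3106 > 192.168.1.2.1433: S 1:1(0) win 16384
17:52:03.000 IP 203.0.113.9.4711 > 192.168.1.2.135: S 1:1(0) win 65535
17:52:04.000 IP 192.168.1.2.137 > 198.51.100.7.137: UDP, length 50
17:52:05.000 IP 192.168.1.2.1045 > 198.51.100.7.25: S 1:1(0) win 16384
""".splitlines()

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(f"{key[0]:8s} {key[1]:12s} {n}")
```

Repeated inside-origin hits on 1433/1434 point at an infected LAN host rather than an Internet attacker, which is the pattern Mariette's diagnosis rests on; an outbound 137 hit from the server itself is the NetBIOS fallback Fred's search turned up.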
